Execution environment file inventory
First Claim
1. One or more non-transitory computer readable media having container management and protection logic encoded therein for managing a system of containers accessible to a computer system, wherein the container management and protection logic, when executed by one or more processors, is to:
- intercept, dynamically, an operation request in the computer system that is to affect a targeted container in the system of containers;
- identify the targeted container of the intercepted operation request;
- analyze an inventory of a plurality of protected containers in the system of containers to determine if an identifier of one of the plurality of protected containers corresponds to an identifier of the targeted container;
- identify an entity associated with an initiation of the operation request;
- analyze, if the identifier of one of the plurality of protected containers corresponds to the identifier of the targeted container, one or more change authorization policies to determine whether the identified entity is authorized to update the targeted container;
- allow the operation request to be performed if it is determined that the identified entity is authorized to update the targeted container;
- generate a new identifier for the targeted container after the operation request is performed; and
- update the inventory with the new identifier, wherein the new identifier is useable to verify integrity of the targeted container.
9 Assignments
0 Petitions
Abstract
A method is described to maintain (including generate) an inventory of a system of a plurality of containers accessible by a computer system. At least one container is considered to determine whether the container is executable in at least one of a plurality of execution environments characterizing the computer system. Each execution environment is in the group comprising a native binary execution environment configured to execute native machine language instructions and a non-native execution environment configured to execute at least one program to process non-native machine language instructions to yield native machine language instructions. The inventory is maintained based on a result of the considering step. The inventory may be used to exercise control over what executables are allowed to execute on the computer system.
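The classification the abstract describes (is a container executable directly as native machine code, executable only through an interpreter or virtual machine that produces native instructions, or not executable at all) and the execution control built on the resulting inventory, as an added Python example. This is not code from the patent or from any product implementing it. The magic-byte table, the shebang parsing, SHA-256 as the per-container identifier, and the sample file tree written to a temporary directory are all this example's assumptions; the sample files are constructed stand-ins, not real binaries.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Magic-byte tables are this example's assumption, not the patent's.
NATIVE_MAGIC = {            # executed directly by the CPU
    b"\x7fELF": "ELF",
    b"MZ": "PE/COFF",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
}
NON_NATIVE_MAGIC = {        # executed by a program that translates them first
    b"\xca\xfe\xba\xbe": "Java class (JVM)",
}


def classify(data: bytes) -> tuple[str, str]:
    """Return (environment, detail) for a container's bytes.

    environment is "native" (machine code), "non-native" (bytecode or a script
    that an interpreter turns into native instructions) or "data" (not
    executable in any environment the inventory tracks).
    """
    for magic, name in NATIVE_MAGIC.items():
        if data.startswith(magic):
            return "native", name
    for magic, name in NON_NATIVE_MAGIC.items():
        if data.startswith(magic):
            return "non-native", name
    if data.startswith(b"#!"):
        # Interpreter named on the shebang line; "env X" resolves to X.
        words = data.split(b"\n", 1)[0][2:].decode("ascii", "replace").split()
        if not words:
            return "non-native", "script for unknown interpreter"
        interp = words[0]
        if Path(interp).name == "env" and len(words) > 1:
            interp = words[1]
        return "non-native", f"script for {interp}"
    return "data", "no recognised executable format"


def build_inventory(root: Path) -> dict[str, dict]:
    """Inventory every executable container under root, keyed by relative path."""
    inventory: dict[str, dict] = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        data = p.read_bytes()
        env, detail = classify(data)
        if env == "data":
            continue  # not executable anywhere: stays out of the inventory
        inventory[p.relative_to(root).as_posix()] = {
            "env": env,
            "detail": detail,
            "sha256": hashlib.sha256(data).hexdigest(),  # the integrity identifier
        }
    return inventory


def may_execute(inventory: dict[str, dict], rel_path: str, data: bytes) -> bool:
    """Execution control: run only inventoried containers whose bytes still match."""
    entry = inventory.get(rel_path)
    return entry is not None and entry["sha256"] == hashlib.sha256(data).hexdigest()


def demo() -> tuple[dict[str, dict], bool, bool, bool]:
    """Constructed sample tree: one native binary, two scripts, a class file, text."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "lib").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF\x02\x01\x01" + b"\x00" * 16)
        (root / "bin" / "deploy.sh").write_bytes(b"#!/bin/sh\necho deploy\n")
        (root / "bin" / "tool.py").write_bytes(b"#!/usr/bin/env python3\nprint('x')\n")
        (root / "lib" / "App.class").write_bytes(b"\xca\xfe\xba\xbe\x00\x00\x00\x37")
        (root / "README").write_bytes(b"plain text\n")
        inventory = build_inventory(root)
        allowed = may_execute(inventory, "bin/ls", (root / "bin" / "ls").read_bytes())
        # A script edited after inventory time must not run under the old entry.
        tampered = may_execute(inventory, "bin/deploy.sh", b"#!/bin/sh\ncurl x | sh\n")
        unknown = may_execute(inventory, "README", b"plain text\n")
        return inventory, allowed, tampered, unknown


if __name__ == "__main__":
    inv, ok, bad, unk = demo()
    for path, entry in inv.items():
        print(f"{path:16} {entry['env']:11} {entry['detail']}")
    print("bin/ls runs:", ok, "| edited deploy.sh runs:", bad, "| README runs:", unk)
```

The point of keeping the environment alongside the hash is that a script is only dangerous in the presence of its interpreter: a deployment can block all non-native containers whose interpreter is itself not in the inventory, or allow native binaries while denying anything that would reach a shell. Magic bytes are a heuristic; a real agent would also have to handle containers whose type is decided by the program opening them, which the abstract leaves to the system's own execution environments.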
409 Citations
23 Claims
1. (Independent claim; text given above under First Claim.) Dependent claims: 2-16.
17. An apparatus, comprising:
a computer system that includes: an execution unit; a memory element including code for execution; and a storage system that couples to the execution unit and that includes a system of containers accessible to the computer system, the system of containers including a plurality of protected containers that collectively form an inventory of protected containers for the computer system, wherein the code for execution, when executed by one or more processors, is to:
- intercept, dynamically, an operation request that is to affect a targeted container;
- identify the targeted container of the intercepted operation request;
- analyze the inventory of protected containers to determine if an identifier of one of the plurality of protected containers corresponds to an identifier of the targeted container;
- identify an entity associated with an initiation of the operation request;
- analyze, if the identifier of one of the plurality of protected containers corresponds to the identifier of the targeted container, one or more change authorization policies to determine whether the identified entity is authorized to update the targeted container;
- allow the operation request to be performed if it is determined that the identified entity is authorized to update the targeted container;
- generate a new identifier for the targeted container after the operation request is performed; and
- update the inventory with the new identifier, wherein the new identifier is useable to verify integrity of the targeted container.
Dependent claims: 18-23.
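The mediation flow that claims 1 and 17 recite (intercept the request, look the target up in the protected inventory, identify the requesting entity, consult a change-authorization policy, allow or deny, then regenerate the identifier and update the inventory), as an added Python example that is not code from the patent or from any product implementing it. The Rule and ChangeControl names, fnmatch patterns for policy matching, SHA-256 as the identifier, and the sample entities, paths and file contents are all this example's assumptions. It also covers a case the claims do not spell out: what to do when the target's current bytes already fail to match the inventory at the moment the request is intercepted.

```python
from __future__ import annotations

import fnmatch
import hashlib
from dataclasses import dataclass, field


def container_id(content: bytes) -> str:
    """Identifier for a container: SHA-256 of its bytes (this example's choice; the
    claims require only that it be usable to verify the container's integrity)."""
    return hashlib.sha256(content).hexdigest()


@dataclass(frozen=True)
class Rule:
    """One change-authorization policy entry (hypothetical format)."""
    entity: str                 # fnmatch pattern for the requesting entity
    target: str                 # fnmatch pattern for the container path
    operations: frozenset[str]  # operations the entity may perform on the target


@dataclass
class ChangeControl:
    policies: list[Rule] = field(default_factory=list)
    inventory: dict[str, str] = field(default_factory=dict)  # path -> identifier

    def protect(self, path: str, content: bytes) -> None:
        """Add a container to the protected inventory with its current identifier."""
        self.inventory[path] = container_id(content)

    def authorized(self, entity: str, operation: str, path: str) -> bool:
        return any(
            fnmatch.fnmatchcase(entity, r.entity)
            and fnmatch.fnmatchcase(path, r.target)
            and operation in r.operations
            for r in self.policies
        )

    def request(self, entity: str, operation: str, path: str,
                current: bytes, new: bytes = b"") -> tuple[bool, str]:
        """Mediate one intercepted operation request; returns (allowed, reason).

        `current` is what is on disk when the request is intercepted and `new` is
        what the operation would leave there. On an allowed change the inventory
        is refreshed with the new identifier, as the claims require.
        """
        stored = self.inventory.get(path)
        if stored is None:
            return True, "not a protected container; policy not consulted"
        if stored != container_id(current):
            # The bytes already differ from the inventory: something changed the
            # container outside this control path. Fail closed and surface it
            # rather than treat the unknown content as the protected original.
            return False, "integrity violation: current bytes do not match inventory"
        if not self.authorized(entity, operation, path):
            return False, f"{entity} is not authorized to {operation} {path}"
        if operation == "delete":
            del self.inventory[path]
        else:
            self.inventory[path] = container_id(new)   # regenerate the identifier
        return True, "authorized by change policy; inventory updated"

    def verify(self, path: str, content: bytes) -> bool:
        """Later integrity check against the (possibly updated) identifier."""
        return self.inventory.get(path) == container_id(content)


def demo() -> dict[str, object]:
    """Constructed scenario: a protected sshd binary, a package manager that may
    update /usr/bin, and an unauthorised shell trying the same write."""
    cc = ChangeControl(policies=[
        Rule("apt-get", "/usr/bin/*", frozenset({"write", "delete"})),
        Rule("apt-get", "/usr/lib/*", frozenset({"write", "delete"})),
    ])
    sshd_v1 = b"\x7fELF sshd 9.0 (constructed stand-in for the binary)"
    sshd_v2 = b"\x7fELF sshd 9.1 (constructed stand-in for the binary)"
    cc.protect("/usr/bin/sshd", sshd_v1)
    out: dict[str, object] = {}
    out["unprotected"] = cc.request("bash", "write", "/tmp/notes.txt", b"", b"hi")
    out["unauthorized"] = cc.request("bash", "write", "/usr/bin/sshd", sshd_v1, b"backdoor")
    out["upgrade"] = cc.request("apt-get", "write", "/usr/bin/sshd", sshd_v1, sshd_v2)
    out["verify_new"] = cc.verify("/usr/bin/sshd", sshd_v2)
    out["verify_old"] = cc.verify("/usr/bin/sshd", sshd_v1)
    # Even the authorized entity is refused if the file was tampered with first.
    out["tampered"] = cc.request("apt-get", "write", "/usr/bin/sshd", b"backdoor", sshd_v2)
    out["delete"] = cc.request("apt-get", "delete", "/usr/bin/sshd", sshd_v2)
    out["after_delete"] = "/usr/bin/sshd" in cc.inventory
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13} {result}")
```

Only the decision logic is modelled here; the "intercept, dynamically" step of the claims is a file-system filter or hook in the kernel in any real deployment, and the entity it reports (process image, user, or both) determines how precise a policy can be. Two details matter in practice: an unprotected path skips the policy entirely, exactly as the claims order the steps, so the value of the scheme rests on how completely the inventory covers what an attacker would want to change; and the pre-check against the stored identifier turns a silent out-of-band modification into a denied request with a reason, instead of letting the next authorized update quietly re-baseline tampered content.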